Low-Cost Cybersecurity and Critical Infrastructure Protection

Original Broadcast 10/7/25


Presented by Carahsoft

Cybersecurity is often viewed as expensive and resource-intensive, but the most effective protections can be remarkably simple and inexpensive. That was the central point made by Jermaine Roebuck, Associate Director for Threat Hunting at the Cybersecurity and Infrastructure Security Agency (CISA), during the AFCEA and INSA Intelligence and National Security Summit. He explained that basic cyber hygiene practices—often overlooked—can drastically reduce the risk of compromise, especially in critical infrastructure sectors like water, energy, and transportation.

Roebuck highlighted several low-cost measures that organizations can adopt immediately. The first is changing default passwords to more complex, secure ones. It is a seemingly obvious step, but one that remains a major weakness across critical systems. He pointed out that many water utilities, for example, continue to use default configurations, leaving themselves exposed to even unsophisticated attackers.

Another common vulnerability arises when operational technology (OT) systems are connected to the internet. Engineers and technicians often add connectivity to enable remote access, avoiding the need to drive hours to service equipment. But if that access is not secured, it creates an open door for attackers. Roebuck stressed that virtual private networks (VPNs), logging, and phishing-resistant multi-factor authentication (MFA) are low-cost ways to secure these environments while preserving convenience.

Beyond these basics, Roebuck recommended isolating IT and OT systems with a demilitarized zone (DMZ). While implementing a DMZ requires greater investment than changing passwords or enabling MFA, it is a critical step for separating sensitive operational networks from more vulnerable enterprise systems. This separation makes it far more difficult for attackers to pivot from business networks into systems that control essential infrastructure.
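As an added illustration (not from the talk, CISA, or Carahsoft), here is one way the IT/DMZ/OT separation described above can be expressed as an nftables ruleset on the firewall that joins the three zones, with denied traffic logged so attempted pivots are visible; the interface names, subnets, jump-host address and port numbers are assumptions.

```nft
# Added example, not from the original talk. Interface names, subnets,
# the jump-host address and the service ports below are assumed values.
define IT_IF  = "eth0"   # 10.1.0.0/16  enterprise (IT) network
define DMZ_IF = "eth1"   # 10.2.0.0/24  DMZ: VPN concentrator / jump host
define OT_IF  = "eth2"   # 10.3.0.0/24  control network (PLCs, HMIs)
define JUMP   = 10.2.0.10                    # the only host allowed into OT
define OT_ENG = { 10.3.0.20, 10.3.0.21 }     # engineering workstations / HMIs

table inet itot {
    chain forward {
        # Deny by default: any flow without an explicit accept below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # IT may reach the DMZ only to open a VPN session (OpenVPN on UDP/1194,
        # assumed) or SSH to the jump host; nothing else from IT enters the DMZ.
        iifname $IT_IF oifname $DMZ_IF ip daddr $JUMP udp dport 1194 accept
        iifname $IT_IF oifname $DMZ_IF ip daddr $JUMP tcp dport 22 accept

        # Only the jump host may enter OT, and only to the engineering hosts
        # on the two remote-administration ports they actually use.
        iifname $DMZ_IF oifname $OT_IF ip saddr $JUMP ip daddr $OT_ENG tcp dport { 22, 3389 } accept

        # There is deliberately no IT -> OT rule and no OT-initiated rule at all:
        # a direct pivot from the business network, or a control host calling
        # out, falls through to the log line and then to the drop policy.
        log prefix "itot-drop: " level warn
    }
}
```

Loading the file with `nft -f` and forwarding the kernel log lines tagged `itot-drop:` to the site's log collector gives the operator both the segmentation and the logging Roebuck recommends.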

If the solutions are straightforward and often inexpensive, what prevents their widespread adoption? Roebuck argued that the barrier is cultural, not financial. OT engineers and technicians possess deep technical expertise in control systems, but many lack a cybersecurity background. Their focus is often on efficiency and uptime rather than risk reduction. “A lot of what they do is, how do I make it quick and easy so I can access these systems remotely?” he explained. Without greater awareness of the risks, convenience often outweighs security.

That is why education and outreach remain central to CISA’s mission. Roebuck described how the agency partners with organizations like the Environmental Protection Agency and the Department of Energy to reach critical infrastructure providers. CISA maintains regional offices whose staff regularly visit utilities in person, building relationships and spreading awareness of best practices. The agency also publishes resources online, including its Cybersecurity Performance Goals, which provide a set of baseline, achievable security measures.

Roebuck cautioned that the threat landscape is evolving rapidly, and even basic hackers are finding success against organizations that fail to implement foundational defenses. He cited the water sector as a vivid example. With 50,000 water utilities across the United States—many serving fewer than 10,000 customers—the sheer scale of the sector makes it difficult to secure. Hacktivists and ransomware operators actively scan for exposed systems, often armed with freely available tools. When they find default passwords or unsecured connections, they can disrupt operations with little effort.

While hacktivists may begin with relatively unsophisticated actions like distributed denial-of-service attacks or website defacements, Roebuck noted that many quickly escalate when they realize they can generate more notoriety by directly impacting physical systems. Even minor disruptions to water or energy utilities can cause widespread public concern. Ransomware operators, meanwhile, often target IT networks, knowing that even if they do not directly compromise OT systems, they can cause operators to shut them down as a precaution.

Nation-state adversaries present an even more serious challenge. Roebuck pointed to the Chinese state-backed group known as Volt Typhoon, which has infiltrated critical infrastructure networks with the intent of lying dormant until a future conflict. Unlike hacktivists, nation-state actors are patient, sophisticated, and strategic. Their goal is not immediate disruption but the ability to hold infrastructure at risk in the future.

Roebuck’s comments underscore the growing convergence of threats facing critical infrastructure providers. Hacktivists, criminal ransomware groups, and nation-state actors each pursue different objectives, but they often target the same vulnerabilities. That means even basic measures—password changes, MFA, network segmentation—can mitigate risks across all categories of attackers.

The challenge now is scale. With tens of thousands of utilities and operators across the country, ensuring that all adopt even the simplest safeguards is daunting. That is why CISA’s outreach, partnerships, and performance goals are so important. By making security practices accessible and achievable, the agency hopes to raise the baseline across sectors.

Roebuck’s message was clear: organizations should not wait for major investments or new technologies to begin securing their systems. The most impactful steps are already available, often at little or no cost. Cybersecurity may be a complex field, but its foundation is built on simple, achievable actions that every organization can take.

Key Takeaways

  • Basic cyber hygiene, such as changing passwords and enabling MFA, can stop a large share of attacks at little cost.

  • The greatest barrier to stronger security in critical infrastructure is cultural, not financial, as OT engineers often prioritize convenience over risk reduction.

  • Hacktivists, ransomware groups, and nation-state actors are converging on the same vulnerabilities, making baseline protections more important than ever.
